xmlrpc.php is only in use if the user uses the WordPress app.

if the app is not used, it would be wise to disable this file, because it is a frequent target of brute force attacks (trying out a billion passwords), which also cause unnecessary traffic and energy usage in datacenters.

(this should be DEFAULT on every wordpress installation X-D either by wordpress themselves or the datacenter operators)

btw: DELETING the xmlrpc.php is no option, as it will reappear with every WordPress update (which should be done in a timely manner in order to not get hacked & the site defaced)


at the end of the already existing wordpress .htaccess in the wordpress installation directory, add this:

# END WordPress <- after this

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

so the file looks like this:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
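
One way to apply and verify this change from a shell, as an added example that is not part of the original post: it appends the block once after the "# END WordPress" marker, keeps a backup, and goes beyond the page by emitting the Apache 2.4 form (Require all denied) next to the 2.2 directives shown above. The function names and the "block-xmlrpc" marker comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the block-xmlrpc markers are hypothetical.

# Print the deny block. Nested IfModule picks the syntax the server supports.
xmlrpc_block() {
    cat <<'EOF'
# BEGIN block-xmlrpc
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2, the directives used on this page
        order deny,allow
        deny from all
    </IfModule>
</Files>
# END block-xmlrpc
EOF
}

# block_xmlrpc FILE: append the block to a WordPress .htaccess exactly once.
# Returns 1 if FILE is missing or has no "# END WordPress" marker.
block_xmlrpc() {
    htaccess=$1
    [ -f "$htaccess" ] || { echo "no such file: $htaccess" >&2; return 1; }
    grep -q '^# END WordPress' "$htaccess" || {
        echo "no WordPress section in $htaccess" >&2; return 1; }
    # Already applied: leave the file untouched (idempotent).
    if grep -q '^# BEGIN block-xmlrpc' "$htaccess"; then return 0; fi
    cp -p "$htaccess" "$htaccess.bak" || return 1
    { printf '\n'; xmlrpc_block; } >> "$htaccess"
}

# check_xmlrpc BASE_URL: succeed only if the server answers 403 for xmlrpc.php.
check_xmlrpc() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/xmlrpc.php") || return 1
    [ "$code" = "403" ]
}
```

Call block_xmlrpc with the path to the .htaccess in the wordpress installation directory, then check_xmlrpc with the base URL of your own site; a 403 confirms the rule is active.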


